On Mon, Apr 29, 2019 at 04:56:27PM +0200, Felix Geyer wrote:
> Hi,
>
> On 24.04.19 21:33, Salvatore Bonaccorso wrote:
> > Hi Kari,
> >
> > On Wed, Apr 24, 2019 at 07:15:44PM +0300, Kari Pahula wrote:
> > > Hi.
> > >
> > > I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.
> > First thanks for working on the issues!
> >
> > I have not reviewed your patches, but just a remark. Never just
> > forward-port a patchset from an older suite to newer (although the
> > version is identical here).
> >
> > Furthermore as Moritz pointed out, at time of writing the bugreport,
> > only some of the bugs got patches, but not all were merged upstream,
> > several of the CVEs got later on upstream patches rather than
> > previously linked ones from the bugzilla. We should base the upload
> > based on the current upstream patches which by now should be complete
> > (but double check the updated references in the security-tracker).
> >
> Unfortunately there are still some bug reports without merged fixes.
> I've kept the Debian security tracker up-to-date in this regard
> (the CVEs with committed patches have a link to them).

For sdl-image1.2 we can already go ahead with an unstable upload, right?
The only issue affecting it was merged.

Cheers,
Moritz